---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: runtime-audit-engine
  namespace: d8-{{ $.Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" $.Chart.Name)) | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: d8:runtime-audit-engine
  {{- include "helm_lib_module_labels" (list . (dict "app" $.Chart.Name)) | nindent 2 }}
rules:
  - apiGroups:
    - extensions
    - ""
    resources:
    - nodes
    - namespaces
    - pods
    - replicationcontrollers
    - replicasets
    - services
    - daemonsets
    - deployments
    - events
    - configmaps
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - apps
    resources:
    - daemonsets
    - deployments
    - replicasets
    - statefulsets
    verbs:
    - get
    - list
    - watch
  - nonResourceURLs:
    - /healthz
    - /healthz/*
    verbs:
    - get
  - apiGroups:
    - deckhouse.io
    resources:
    - falcoauditrules
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - admissionregistration.k8s.io
    resources:
    - validatingwebhookconfigurations
    verbs:
    - create
    - list
    - update

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:runtime-audit-engine
  {{- include "helm_lib_module_labels" (list . (dict "app" $.Chart.Name)) | nindent 2 }}
subjects:
- kind: ServiceAccount
  name: runtime-audit-engine
  namespace: d8-{{ $.Chart.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:runtime-audit-engine
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: d8:runtime-audit-engine:rbac-proxy
  {{- include "helm_lib_module_labels" (list . (dict "app" $.Chart.Name)) | nindent 2 }}
subjects:
- kind: ServiceAccount
  name: runtime-audit-engine
  namespace: d8-{{ $.Chart.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: d8:rbac-proxy
